9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14

Analysis

max time kernel
150s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
Size

70KB
MD5

0c4e72a59fdca6d213d1dae9b4c38cd4
SHA1

b1c8b43c75385ec3e94f54f2dfdbbef64595e00b
SHA256

9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14
SHA512

924a57dd6fe8db2c3fef8d4f4d9b7e72017bdd05f766bd7d7b3973408cd871d75c701cf4f0661b62b80c01e2629b26f223950e2159fb65a75c15c9a1a1812dcd
SSDEEP

768:W7Blp2sspARFbhJpupZ5pZ4+fTgTvlK1lK6RZR+8/8gClurYClur4Rh6NtRh6NJ:W7Z2sspApkZrZ4+fU7lK1lKT8/8MqlqJ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5196) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessResume.dotx.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SignalRClient.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWDB.TTF.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\CloseResolve.png.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OWSSUPP.DLL.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe

C:\Users\Admin\AppData\Local\Temp\9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe
"C:\Users\Admin\AppData\Local\Temp\9831c542a4de698ad93f8595c260d9a169b64bd1fdada388b7b3e26f3e5a9c14.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
70KB

MD5
893999b3b9c7edca24e7d2feca77ed43

SHA1
7de7ec1ec0423ecb9db9d4cc7269d5a9d6a660c5

SHA256
2a63903398fe4fe9711f0e39a1c0120dae98101c7064e1c06793b53d1f7248a4

SHA512
4df5f27ad34040ae3183f02f9bdf3b829f9f367a1bf6685bffa575bbe228e738cb2e45036e07fb7f7cfcce4108a347d84c827024533d42d8f628a86aabf63bb0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
169KB

MD5
a3cf555c3dce54ad642ca3ae10a067ca

SHA1
f54996c103599b59edd371f176acdcd42662ab19

SHA256
a14c40114c19eb08c9af5209b08d83e1dd0321e57ebd27be43bb505f4c94bbc9

SHA512
e3fcaf01fb1f30efb7bf51a003d92628ab32bdaa8d39bfb74940baa7d0e666a4b885d790cb78bc4b6216de7ad409bf16f22ba12b9075769e62990067aa3aad1a

Download Submit