6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
Size

78KB
MD5

d64d3b6a9294d7097d91133c1c7c443b
SHA1

7bde1b266569acbf09f206fa767741234817cdae
SHA256

6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009
SHA512

a8b0adc7760f52bfb8e530a6f136620160084fa56017398b4a48d127487e455e3ad5a79096558ad62e3b5f084a258b7913c14d5f98eff3dad5b30c6227d22d78
SSDEEP

1536:/7ZQpApze+eJfFpsJOfFpsJeFrxFrd46w:9QWpze+eJfFpsJOfFpsJ0rDrNw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5103) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.resources.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\desktop.ini.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe

C:\Users\Admin\AppData\Local\Temp\6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe
"C:\Users\Admin\AppData\Local\Temp\6e820f4f7606d0bd071b2efc6c269ee9412d29e84b7f570810017afff608c009.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
78KB

MD5
4f2bdb8f7824e636e1d4a6f024d7aa53

SHA1
47a1ef3ef4be073e0b56932514bec87ecec591d2

SHA256
1281a2cd86cc646bd45efb8adb5f856ace31c775224d91e83a1958b225275b20

SHA512
3acb59bc16f2a028ada826db1ff151d39c5a60c53fdc52e24ca7aba47dc7016fe6d884ead6fdf41ffe6750689eb9e65957891f09ba87d05486e36e5f5d3bf9c1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
177KB

MD5
761eb52d8d4faad7581273cf14f48e26

SHA1
d4ddfcc41654b92d16be3c5f2cd7621cc64fb6a3

SHA256
00d5b178cdd4c7684a5b70c4320975aeacb34db33030f4672860d6a38c426db1

SHA512
183b810a42f28fb9f878b235cd5abd06ef989a4dca39bb858bd9c806ef799d599c41fc1a82050375543261736b4e0719e19b13540194f66168d16b58d06d3cf8

Download Submit
memory/1236-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1236-1824-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download