9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
Size

40KB
MD5

b50bf8620a021c016487bce8ee6f0118
SHA1

b07d0ad33d8a8aaa57c81133dde7d501d737add5
SHA256

9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b
SHA512

1bc68c59abe64cccb7ff0b69796cd0a4eebe45118bb7e4c62e224a3315a55c48a94339a15e651521aaf4f061f9afcf6161e233d9f5b0f74dbfa4acbc43c9a618
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLUtX9k:W7ZppApBULcfpHLcfpyD3tX9k

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5197) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Handles.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClient.resources.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySharePoints.ico.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe

C:\Users\Admin\AppData\Local\Temp\9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe
"C:\Users\Admin\AppData\Local\Temp\9e54384049bcee9e7905100f2b3094f6087fec17502e3c43f3316d28a198c16b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
40KB

MD5
1b218f33338616cbcc6ecb37bbbd4d4b

SHA1
3d30f2d6027efc01eaa83f1de14be4d45db8e402

SHA256
4fa188ed4e58b1b41760e2f3a0a6fc0245e37309a34ff9e6f348ae378002b71d

SHA512
5f0ae500217da054924d5ad9c19270422cec6e7ecf9f12896bd219cff2a545053b5fe29ec8496c157fd0db1776714ae99ed70018573b0fe6fc7c546475859ce2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
414ee6b5325d13f0b70ed94850ecd277

SHA1
41aebf023e2734bb5e53a5685b8a5ec0033aad0b

SHA256
50761f8c7011bc62ed29e8aad1b93206e29b817552ecb3f737f1719cf7cceee2

SHA512
634ffc7ed89db0e53544915f79b5b5f98c6905a120ffa4e261d7e6ecab187cfdd6caffd2d7f5a000604151e4f75f8ae0db56e428fa23190dbbdd49dabf61c2a5

Download Submit