6d1d04cb17f1640b9a89f9ab85997b7d1876da1936e41b5cd643e496a893f3d5

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 15:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

922c9a0868470b864789520a38d0da70N.exe
Size

39KB
MD5

922c9a0868470b864789520a38d0da70
SHA1

8454a43b47dda7b62949ff2b378d82d3732c98cd
SHA256

6d1d04cb17f1640b9a89f9ab85997b7d1876da1936e41b5cd643e496a893f3d5
SHA512

4146d4a81ac9a55494779922f06fc544ae74c7c4205a333b064e808a00f664898b0e34937fa0821d74c781def60c961f42f63d7be33b64a6a3c730c38a9fb79d
SSDEEP

384:GBt7Br5xjLdbAAgA71FbhvU8g0U0fL+jnK1q1K1qflYxlYnq:W7Blp+pARFbhBgnKL+LK1KK1RAq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4643) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\LICENSE.txt.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Xaml.resources.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxcompiler.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	922c9a0868470b864789520a38d0da70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\currency.data.tmp	922c9a0868470b864789520a38d0da70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	922c9a0868470b864789520a38d0da70N.exe

C:\Users\Admin\AppData\Local\Temp\922c9a0868470b864789520a38d0da70N.exe
"C:\Users\Admin\AppData\Local\Temp\922c9a0868470b864789520a38d0da70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
40KB

MD5
8f89b2999d47db4a2674c9b817d5a27a

SHA1
c87722185cd706996e7cb796e71e38292483c7dd

SHA256
b0bbb90382982724f7bf683ede7025b27f2f2e2c2796d386fbb7e063c17ac1a5

SHA512
14e87e947b8c85db7f6ea690c41a0f66784f96e31fc927bd9b518ac588e3f6feb6f9d39b76af552473548d22751e03eb7359759b8ca179c61a8a8ee604ed5101

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
ef4a0a339a05dccd9a4a579cc9ac768e

SHA1
f839a3684f2623a7ec96378395531ea14b50972a

SHA256
9f3fc808dbbd07efe1f77f90f01e5c0f84bf976dcdbdd94f2762794789de08fb

SHA512
b22fedf48250d6e769e360c26787054cb39b9cd3874d9839857c6ff738ba775859df2324137cab12d9fd25a92349b29547640a1c2a3ab831e86e410298f4cbf5

Download Submit