6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
Size

231KB
MD5

420500118f002e0b3ffd46976b16152f
SHA1

8a752fac93381cfbc5b0f8a838ac79eb0a87d8c2
SHA256

6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a
SHA512

bd287c35de4953728dbbff7cc4f11d6b4efe5069d0bd7d528537f91098710d81c1ce228835712752b5fe43c629ebb2826fc293fc65f02846febad4566fd39a4c
SSDEEP

768:W7BlphA7pARFbhKKVeIuKVeIBt+OKObYhnKhnZS+2w4Vqx0VqxzFtF2TZ9:W7ZhA7pApBt+OKOsZKZZSjw4Vc0VcW

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4646) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\ConvertResize.cfg.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe

C:\Users\Admin\AppData\Local\Temp\6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe
"C:\Users\Admin\AppData\Local\Temp\6b858dbd429d7c988ab41b244bcfca14ff34ba75db3305cce82e3cf6dacc882a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
231KB

MD5
a203b2a9fd9ad3e02d0632868b0655a9

SHA1
11999e3ce998f8b244908db8cbeadcf7024e5f6f

SHA256
b01f91b263fd0f2780eeb9ac5269af43973135f995c13fff2b9197b1f1af0fa7

SHA512
0ecfdd46676cec124e68471bd298271b91264883c1ff5d13935f638646294777b65a67ad865fbad8e285ad88844db12a43dcfdbef725e1fe8532fd5935840fde

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
330KB

MD5
8aab5af2a9cf4efaf2e9abcc2f885f39

SHA1
cba7f3511b38b0641437e3af992428fe7c9a872b

SHA256
d5fc8d9f0d3ff676684ca1780b044cdaf0b9babdcfbe76fd2b243deb23edf0dc

SHA512
236f1942f5bbff0990304cd703b5554a17f45aec5cd63280ef436f7e03ad47b2d31d51fe7ea9de7b7f410ac5c6574c6181dd85a9c661fac209de48c075800869

Download Submit