9c531380721eec94492eb51c41e61ff189a7cfdf1349bad5d8f87469cfd324fe

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
Size

67KB
MD5

6d8991f0aadd7cb51f69ce9c269fc9c0
SHA1

81a60f30891e3f644b7ceb71d5d04764e1981048
SHA256

9c531380721eec94492eb51c41e61ff189a7cfdf1349bad5d8f87469cfd324fe
SHA512

46f8daeb30985314a889b997494ace07404707eb133fb39384e3ed102b3587397b6429977c77eab917b181885a600a23252a89db7a14455b8041639aa35453b9
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBN10wpAp/lvolGClvolGWxY8SYs2oiLx3Fnx1xY8SE:W7BlpppARFbhbt7Y7WBp9/Bp9S94

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d8991f0aadd7cb51f69ce9c269fc9c0N.exe

C:\Users\Admin\AppData\Local\Temp\6d8991f0aadd7cb51f69ce9c269fc9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\6d8991f0aadd7cb51f69ce9c269fc9c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
67KB

MD5
7e78fd04ed35172edc506a9b45cca67f

SHA1
b065a88fbb1389f6c4ab0e5d072629f9470d2000

SHA256
19adcb219ac8edfbd79f0d433571824b2900fe22194897f40cbc8a7d7134492e

SHA512
6488163c4903fdb49309afe2d02a2d42a1e314dce37849492e677b917ea23fc04708205ec5f8e63acf2e5fc5b0db4b367314740e6253eaf06bed98fabb4f1cbf

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
166KB

MD5
c088860d2136662f2df98ef3f06e9927

SHA1
fbaa33ffbd6a432130062ef7ef2c14aa99d62f40

SHA256
8ec769201e6c0ce0b3a715dd7d782b94676b505822c3f482f281621761185d33

SHA512
20f472f8f04f4492df29248bddabb36ee2c4dff7f2b1c5da3cd52dca7073822320223f286bf47783f0c9daeca883cd7178a7aaef85c4bcf7c49942d80ec25fb1

Download Submit