7954ed717b2e8c15c6d5b87fdc904715cf41611fa433a2f6a2970173224aade8

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a9ca3d31fcaac01bc0d426954f0a20N.exe
Size

89KB
MD5

76a9ca3d31fcaac01bc0d426954f0a20
SHA1

467e8796065e4ee44710b76dcc29081bb8ea7989
SHA256

7954ed717b2e8c15c6d5b87fdc904715cf41611fa433a2f6a2970173224aade8
SHA512

4a4db0301863a269f3c0c935f4a5a5bd71605c5035da0971f8dd50aca24f323a449d3002e27d49516b1ad3b77f314d4381b1d127caa2c65c1ed03d4d60f5d1fb
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+eTdsdYSW8:6e7WpMaxeb0CYJ97lEYNR73e+eBSW8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4527) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\csi.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	76a9ca3d31fcaac01bc0d426954f0a20N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76a9ca3d31fcaac01bc0d426954f0a20N.exe

C:\Users\Admin\AppData\Local\Temp\76a9ca3d31fcaac01bc0d426954f0a20N.exe
"C:\Users\Admin\AppData\Local\Temp\76a9ca3d31fcaac01bc0d426954f0a20N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
89KB

MD5
b953bad7ed34cb8c003248d40405a700

SHA1
b00854d1b499d42aa295eadd38f2bda2449d892d

SHA256
baa4287cd1d3d45e624d0457dbea1ffdb8000b0799b170bda350eaba46145dbd

SHA512
94c949b870708b39412f7be37c632eabf636007f448f06bb4ab5ba69edb937b7c6373b9af48f440ce6768f1c2818f8545d77068b87174c2b8acfd54b79b2776e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
188KB

MD5
a3ea4bf87f5dcde8474f70a39baaad70

SHA1
b42524163f064cd86ca330bec578b9e42ff8eda6

SHA256
a578ef3954544c8d3195e93e7816aa1f459d63416501dfd5810cd0214317b812

SHA512
8a2ba9e69836c4982319b57536a642504a9f192a5179888fabe38835a2f46e40be1100c5f07d6cb4d23a20c3e98c13fc9c8161ab6fea7f4030c091defde8d35b

Download Submit