6bf8ae40761fd741db274fdf8f607398d5e305ea68beb57269295f604384ab82

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79ca9927b27dd151523f89934b2f46e0N.exe
Size

88KB
MD5

79ca9927b27dd151523f89934b2f46e0
SHA1

f761a927de5c19d9147ba9075e75317bffae67eb
SHA256

6bf8ae40761fd741db274fdf8f607398d5e305ea68beb57269295f604384ab82
SHA512

83a0fafdc8b1d80f79a1a5ce5ca2192f72a53217d7fe0bff88b5ba2cb979297413fa59ccad02ef9af67f3d556a37c249629b557fe7a7b508b934cb591dcdaf82
SSDEEP

1536:W7ZhA7pApH9QHwtRF9ESWu0SWutlggalggyaRjvmujvmRzqzlmJgwmJg/S2:6e7WpHIyRF9ESWu0SWuDm841qL

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4526) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	79ca9927b27dd151523f89934b2f46e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79ca9927b27dd151523f89934b2f46e0N.exe

C:\Users\Admin\AppData\Local\Temp\79ca9927b27dd151523f89934b2f46e0N.exe
"C:\Users\Admin\AppData\Local\Temp\79ca9927b27dd151523f89934b2f46e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
88KB

MD5
27c3af87e3f049d05e68222ba4662ed0

SHA1
300b1de387daae9d0c536ab87f209c092dbc2481

SHA256
ba86f280b7c77dff2703a01af924f58dc8601bff80743b8eb4b52037cda8c134

SHA512
8b26d3bac6fbc3924195c1fc03d6cfba964e08a64a41ad8b62cf05267221903e739841c7f233e9fd9d4297fb59eccb367f086f2884077fa38338df74bf95a6b9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
187KB

MD5
e0c63dc1fa7a6cd64429750c47f11e2a

SHA1
29367d961fc6cad2f2f3bf2af6627c878f8464d3

SHA256
9112308ddea656e49d3903f770ccbe2fc6d872e00f12cbeb7adb542f58f29672

SHA512
628b87e4e31a23b67e309b1c467a94a12d14f095b98a50bdd854b51e72f22294cf6f41de80e88493875980e2a47c5d19fa790c1bebec6c48cc38f8b507b174bd

Download Submit