7d1de196b05849135b9c465226f7c1094ced095c98824bfc11d032e165db45ad

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 11:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6c1d2f27da35f12ed23e9231b33a77a0N.exe
Size

40KB
MD5

6c1d2f27da35f12ed23e9231b33a77a0
SHA1

94566f37a9eb5d5199fbe862d967c0fd50d9942c
SHA256

7d1de196b05849135b9c465226f7c1094ced095c98824bfc11d032e165db45ad
SHA512

0783e756b6f32cd9cc00c3c36f1a49ed8e33d39748745cb12544ea3fab3ee0b42cbb3f42b3000293ca036f2665dae14594687480bfc69b3fdec243ff538f90c2
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLi:W7ZppApBULcfpHLcfpyDx

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4691) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ppd.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nl.pak.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_font.dll.tmp	6c1d2f27da35f12ed23e9231b33a77a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c1d2f27da35f12ed23e9231b33a77a0N.exe

C:\Users\Admin\AppData\Local\Temp\6c1d2f27da35f12ed23e9231b33a77a0N.exe
"C:\Users\Admin\AppData\Local\Temp\6c1d2f27da35f12ed23e9231b33a77a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
40KB

MD5
69fdb053c9cc70806c3dfecc24450492

SHA1
c57565a6cce168b3de01d5bea84f83134f6d076e

SHA256
e1378d8112462fbf3f40310b18a28ed427cd4e8bc7fa300d78ef6965dfa7d281

SHA512
e6f646925eb371d1d613024f60a2d914d79dc7c2f3e600225aee72560dab9624c0df0f3625455642d08dd0ca5b4d19c5f30193d4b224923cd25b541f43059e2f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
f0548cfa8ebe1202044f6852f57a0170

SHA1
7862a7359774446247792b0548e7a3a6aa0c5313

SHA256
19fbec1d46c1554cf28abfecd624c23c966bb283f993940dc25ba84f26177635

SHA512
763002959fca15fe01457cfb351abb95b5f5089f202a16bebb820b3d904afe8fcde27fd84dd5f27b6a6d9ff6991a26f4e640a3f13bdd4e4523e1b7afdaa15454

Download Submit