Analysis
-
max time kernel
119s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18/08/2024, 05:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6c985afa9df81e732bc9405f36185430N.exe
Resource
win7-20240705-en
windows7-x64
3 signatures
120 seconds
Behavioral task
behavioral2
Sample
6c985afa9df81e732bc9405f36185430N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
120 seconds
General
-
Target
6c985afa9df81e732bc9405f36185430N.exe
-
Size
47KB
-
MD5
6c985afa9df81e732bc9405f36185430
-
SHA1
1687983fdab790adb7ab08e7844114ddca749fbc
-
SHA256
f967edf23e91bf290984faf6abf619ffb9487ba07719c4bbdd7d6ae9b5e79d50
-
SHA512
43249a2013f5582801c5deaceb583a2f788f858e4a4c8330862c0710bd4bbd03c9c6141b0f2cbf48c49db57d22d9056a242ce0c976106fa2104c2ae3704b2e25
-
SSDEEP
768:W7Blp2sspARFbhVgNNHpQRNHpQRLYyBwaZLYyBwaZs:W7Z2sspApctpQRtpQRTVZTVZs
Score
9/10
Malware Config
Signatures
-
Renames multiple (4673) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellLayoutModel.bin.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\7-Zip\Lang\kab.txt.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\INTLDATE.DLL.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp 6c985afa9df81e732bc9405f36185430N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6c985afa9df81e732bc9405f36185430N.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
47KB
MD5f81954ecea282cf5676f4478fafceacd
SHA1a4e3fd17bf6893af51d66e980e7ab1377eba1776
SHA256155fac985866027c801baae60ae38f6181cfb951949ff9cca8ede67963d98b96
SHA51214f5c808e0de61dfe22e6d129d8ad4b98816fd545d7d97a6a690f97f4a9bae296fe920ff254ddd66c8629706a779158e04ae920abfc1f2c92367afa4a5710547
-
Filesize
146KB
MD529d7160e7512f4664a476d8db1661053
SHA163f7aa58737fb2bbc245940fb66151a945a5de7b
SHA256428beeaef97b49c0cd07a0fab4947cbc3b12e1183d63a748942becb3e877b24a
SHA512e15fff53e5db3ecc06d8878f68b9b6466c4185fd7c833b55cb4e185c8d6c626fb4be77160ee188ec143249370250f7a341a98d41601ace34101096dcb9242623