3a3aaef4d85cc0ceb950f8657345f7b4393447fcb434cf048ddc7184fc0ad544

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9079a0e543032d6f4a574704f5ef5220N.exe
Size

36KB
MD5

9079a0e543032d6f4a574704f5ef5220
SHA1

b038216af579a0f7a30e83dc4a8416bcb72d9568
SHA256

3a3aaef4d85cc0ceb950f8657345f7b4393447fcb434cf048ddc7184fc0ad544
SHA512

b5ffddf3bd87468c13b1a660c87a095b34c590b7457ae94017d5fdd37a1c3259e24bbae9bf3d523e9ceac1cbfd5f99ca3ff9e7704320a4303a2e475de4bb78fb
SSDEEP

384:yBs7Br5xjL8AgA71Fbhvszw5joPWjyjoPWjg:/7BlpQpARFbhewB

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4704) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\C2R64.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\he.pak.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jvm.lib.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_elf.dll.tmp	9079a0e543032d6f4a574704f5ef5220N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9079a0e543032d6f4a574704f5ef5220N.exe

C:\Users\Admin\AppData\Local\Temp\9079a0e543032d6f4a574704f5ef5220N.exe
"C:\Users\Admin\AppData\Local\Temp\9079a0e543032d6f4a574704f5ef5220N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
36KB

MD5
9476a86a444589583382a4518acadffe

SHA1
e650bc29bf11aae12c70706a62e715acbb3dbf69

SHA256
a4137ae9e2b0aff9ed7126ce4df62ff4c692fce0edfa6fbdc01cfb1ff2581358

SHA512
9e40d2e3c25f6043e5f655a9a7daea9d4e4687bf9696efcb049a64a40787ef3f871270be2962da8a29068f22208a4c3f5c2f8e22b98b90b83f1cad1a023f73b3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
6668012a31a7ef8b59babd42bfb28531

SHA1
6ae569a3e24c6fbf326fea9ffa24f396a83fc8a4

SHA256
b01bcad27db960ec2ed2d450b89435f5bc23360055bde7034a2efd6ac46b4a5b

SHA512
63c70ecae1091ec7eee233d4562c7fc4e8a8fe0d0993b948cb9d54e12a1bb43bc3720d28b93deb165b69dfcbd123bb0b1cb50ae0b7654c16bd29b5a8d994ab09

Download Submit
memory/4764-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4764-1010-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download