d8dd46a8db97f8525e52b354fa325d6f7b2074688e61dfe06642b01839975082

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9449bff502591593ea49f197683250b0N.exe
Size

38KB
MD5

9449bff502591593ea49f197683250b0
SHA1

a7bac343514b2bf3732ace91dc49fb261cbe9b37
SHA256

d8dd46a8db97f8525e52b354fa325d6f7b2074688e61dfe06642b01839975082
SHA512

a7c76c8f81d7f3e61aea84b8bc88d595c13f4fdf829dc80f25ad9973f7a50fc3a992008890ab9a354c0fd940ea8ec828aa7e0b066406049e7c820cf470cf0638
SSDEEP

768:W7BlpppARFbhknrzzA8JQ2AdJCzA8JQ2AdJWX0kXX0k8z:W7ZppApkGpJz

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4682) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ru.pak.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-BR.pak.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\instrument.dll.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	9449bff502591593ea49f197683250b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	9449bff502591593ea49f197683250b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9449bff502591593ea49f197683250b0N.exe

C:\Users\Admin\AppData\Local\Temp\9449bff502591593ea49f197683250b0N.exe
"C:\Users\Admin\AppData\Local\Temp\9449bff502591593ea49f197683250b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
38KB

MD5
defd51d95a2f1fad7d9b35580f2c7129

SHA1
86df100b79b26f90dfbc17ff13aad0dbc3b492e3

SHA256
1536f246216863ce3460aa87b3e86b91f892cfe07de830ec442e280413c18971

SHA512
dbe32aca436733ba0d3b88b68bf3ce83fa72556a934840c9536faf8b5b35fd9c68a5e00b5e50eb8861322afc255e68da2e8d5864807dd39bc8a9af73ffa38b60

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
538d996e89ce303311f37eb2d5e903d8

SHA1
707db3b6832ea7ea64ef79ed38f7dedb957767cb

SHA256
f82d5882ff0de5a6afe0dcf6fb2c6b375d4e5b38ca74d7d80166773a8919e1c2

SHA512
59d1ba6da17e3e94a040fda8cd880649705a12687b9abcf0c68de66e9343de5b5e1de72e55976fa7f5ab0e59e400a90714925b57613afb323faeda0cc79da2d4

Download Submit