02651423b497b467c844f19bc4fa5a5e502d7d10c829557b7b5daec4fdb251bd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 10:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

94cb2fe50ad199901eabb2f955bc5780N.exe
Size

73KB
MD5

94cb2fe50ad199901eabb2f955bc5780
SHA1

79252447e3c9468d11671880f67d78441960e694
SHA256

02651423b497b467c844f19bc4fa5a5e502d7d10c829557b7b5daec4fdb251bd
SHA512

84ced790dc6a4f6776a55e22f0b90c0f79f40df2696ba5b07d15d11606c3c459a6080d9b1b80fbc48247253e9da6022aeacb1d1261441d55b084f1ba9cc1b461
SSDEEP

1536:W7ZppApwEwnmJARJAaXxXNJdkCKPuJdkCKPf:6pWpUnDXxXs

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5021) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bn.pak.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnOL.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\ApproveDebug.pptx.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	94cb2fe50ad199901eabb2f955bc5780N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94cb2fe50ad199901eabb2f955bc5780N.exe

C:\Users\Admin\AppData\Local\Temp\94cb2fe50ad199901eabb2f955bc5780N.exe
"C:\Users\Admin\AppData\Local\Temp\94cb2fe50ad199901eabb2f955bc5780N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
74KB

MD5
9c34ee4aa8f5a8f952cc803b1add40c4

SHA1
c6e0d577eca119239252cf51ba86ced6b9135c85

SHA256
8e9871d4774d50bcb8f0b8354a4210fb6ca474d39f0ac084eff06b1c3afcd037

SHA512
477280ac1683a0b3563aeca45b78715093c69f62588462d67bdcd9e2933ca24ddf9fe641cd4dba8ebd46474a274e42a08f7af834742d606ccc849237310f67e7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
920251a00724934efe2140abfd5ef507

SHA1
79eb453662fbc597a3b74f5a4116d03d343c965b

SHA256
ec57c1eed3863bb519980afa430e5f12f638de3bd73f814f9686def0b1736d7f

SHA512
70bc84df1406f0e1f34a78cf9fc6b255495fa8bfe9f4e26bff28d4598694981ff33e20f037e5ead1cedb6c1fd5ce7957b8d1c84ece7a49b6d53ec8b843295e5b

Download Submit