6133bfea98a3d75911f9d48f48a29a2b25405fcd797586c6e0c4fdd31f3660a7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 14:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

061937697a66b02175335f3ea59235c0N.exe
Size

38KB
MD5

061937697a66b02175335f3ea59235c0
SHA1

674e8084f8c06bc9a4c30954779116112df14324
SHA256

6133bfea98a3d75911f9d48f48a29a2b25405fcd797586c6e0c4fdd31f3660a7
SHA512

3ed8442c0d9a79be8f5027ffc41a75d797e21b0304312afb68b3146cc4ccf1fa91f7f226f18824770764aaabf59956592d11c7471a79a44c1a731261e407de1c
SSDEEP

768:/7BlpQpARFbhNIrYcUYcntAKJxxetAKJxxG:/7ZQpApwYcUYcx

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4918) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	061937697a66b02175335f3ea59235c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp	061937697a66b02175335f3ea59235c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	061937697a66b02175335f3ea59235c0N.exe

C:\Users\Admin\AppData\Local\Temp\061937697a66b02175335f3ea59235c0N.exe
"C:\Users\Admin\AppData\Local\Temp\061937697a66b02175335f3ea59235c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
39KB

MD5
3fe0bea3f2da4c1e63210aff3db48783

SHA1
c28df4b80bc516f31f3f32f85d71a646aa8b03e0

SHA256
9a761813aef9925aa495d97058187ec9201855720f467eb8a19e47e2a4b79696

SHA512
359f70faebb2c7685d34fa3746fe1f9efa7ecfd44b0f1033becdc46af55052c08b9150220a96241376bc80a39bd1c2c0232b96215060e74300aafb9a7d68a4cc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
22a8cbf1c1c246939ce5ddf3273105e2

SHA1
40da0b5a3b216e178c5211f2c3c74bdbcc3f0db4

SHA256
62fdda1c41b9a5025abb2e91ea90d312831188505d92dbd87586a0cba2abf198

SHA512
f26a17d3b8bd846e20877a3e5ea15d5e2f39b08c61a8807b828d00b5ef5b425393e77d6dbdd8dc18a05eba632da8989fa007fadb78992b69fc9fa36e1efef085

Download Submit
memory/4936-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4936-842-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download