a3d6e41d15a96e85fb1997ff487d1e9aa6293deb347fcc52171d20783cf58fff

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b9d09d2a356672f59835781c48c68f0N.exe
Size

71KB
MD5

0b9d09d2a356672f59835781c48c68f0
SHA1

e726a33878d63446912e7d9b20583f20099fa986
SHA256

a3d6e41d15a96e85fb1997ff487d1e9aa6293deb347fcc52171d20783cf58fff
SHA512

c954df7895438c62ef1af84317a3875f5d0c7c5bf9066731c5c8c2d86610b687abd2d31055b4fbf3e94dbdb4dd5cebcd8a2c50960dceadaf5fe3fffc9771ca36
SSDEEP

1536:W7ZppApwEwnmJARJAaXxXNJdkCKPuJdkCKPFauae:6pWpUnDXxXG

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5044) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.DLL.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Input.Manipulations.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\instrument.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\BlockFind.asp.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.tmp	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0b9d09d2a356672f59835781c48c68f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	0b9d09d2a356672f59835781c48c68f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b9d09d2a356672f59835781c48c68f0N.exe

C:\Users\Admin\AppData\Local\Temp\0b9d09d2a356672f59835781c48c68f0N.exe
"C:\Users\Admin\AppData\Local\Temp\0b9d09d2a356672f59835781c48c68f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
71KB

MD5
a9677178b7b90e23482ee9e45f966700

SHA1
77a3615832cd8c2fbf76c3828782f956622688cf

SHA256
95267b939453491e12e17ac4a4f31366b3b307b7479035689d079e95f1744fe6

SHA512
56694f1ee8c8a85d1c0756472a10b216d388132f751d7de2478809cbaa13cd64a7b9bec13bebf89f3b5ef98331f8959c4f625890999766f538972322aa6d4840

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
170KB

MD5
189051a15484d1aff5004909b424f17c

SHA1
66d2d3b1a0cfdd86c1cb1af388002158b4bba548

SHA256
91ac8415bfabeacf553c17f264c99098d72377522a427fc4b74700400f542763

SHA512
8aed0d6d6dd03ebebc0695fe136c044c90a8daec6d00d83f5c856e22e3f593afb7cb0d1169e2663e75ecf04569a00a1795db60360a36f59f509c4b0538890be3

Download Submit