cd195c40cbf6454dd46f134b96de99b2005037ffa613e4f8c4e046c07e143c69

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93381c8e3ab6ed86f391f8f7ce36ca00N.exe
Size

82KB
MD5

93381c8e3ab6ed86f391f8f7ce36ca00
SHA1

5ebc32958c62faacd93df2852eb03bf2f4bf33f1
SHA256

cd195c40cbf6454dd46f134b96de99b2005037ffa613e4f8c4e046c07e143c69
SHA512

339b06285a6519033f79c84eef7a5b3332eace244d1062a19ff24a328911589d0d820aeae6419a7e1c93f754656c76e7c46ce71e86dbd172a41b9d9085f73d62
SSDEEP

1536:p7ZhA7dAp1++PJHJXA/OsIZfzc3/Q8Ue+bCeIDgDK:Te76WQSotbCeIDgDK

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\sRGB.pf.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-oob.xrm-ms.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	93381c8e3ab6ed86f391f8f7ce36ca00N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93381c8e3ab6ed86f391f8f7ce36ca00N.exe

C:\Users\Admin\AppData\Local\Temp\93381c8e3ab6ed86f391f8f7ce36ca00N.exe
"C:\Users\Admin\AppData\Local\Temp\93381c8e3ab6ed86f391f8f7ce36ca00N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
82KB

MD5
597c9add0fbe46575437a03ca1541a09

SHA1
24e5d3765628eeaba92d747287d4120b2d172cba

SHA256
5db389b3759081dd5dc258c2fd2527f4eb1357def924ca27e5d908965ea5966f

SHA512
18f449ddf3bf3d61349562de8f324fa7b1c09405a2834de7b2d16c5dc01ab2ecdbce3dddb1b353698462e394f33392e50491dabb9e8832033236d54d7bc10bca

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
181KB

MD5
45d172653836836432ddf87facb34bab

SHA1
6402fc18be85fb6bc8dc2f4fb6bc262abcf1f1a0

SHA256
e3d50ad269bbeabe6bf869c5b59773223fde80bd01c498cff1308eea6c2dc85a

SHA512
47cf7946ee9cfbfc08a5595f4a6c3d5e892837ca00c3697f040f01babb8d850cdfa66eabd1ab6828170d6d640965f3843a056e27a67f59dccd99d6d2781b1611

Download Submit