9cd264c15fb5ae80b215199204f4108b3f864ebe01048a4fb7bddce56f3d4800

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
Size

44KB
MD5

4c28984c7c1e0c6cecd7ba3d8da91dc0
SHA1

1d50162ba940008ac9ccaa9f80a99b1e21205a31
SHA256

9cd264c15fb5ae80b215199204f4108b3f864ebe01048a4fb7bddce56f3d4800
SHA512

0735dad40848b61fa0592676b0239cc96646de9f0baef20fcfbebf166384061acf98c8efa5f15c9ce923b9445799d93ba92159e1b45fd3f45c3afbb475d2908b
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFXpK5c52:W7ZppApBULcfpHLcfpyDA6M

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4674) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.AeroLite.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe

C:\Users\Admin\AppData\Local\Temp\4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe
"C:\Users\Admin\AppData\Local\Temp\4c28984c7c1e0c6cecd7ba3d8da91dc0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
45KB

MD5
46a8bb5605ca675054fef4bfaabf5849

SHA1
7799da89d3cf24973e30caff28a2b8bec63fa4e8

SHA256
47a9cd993bc331641cb3434d35322516173dd83c9d20675fc306045bf6675d9a

SHA512
a4f4201f03fac975c9a65e0f1541079301c0ed9706fbf5e805ef52c5f6f85c3ea3f7c6779de34a50d0252a77ba2c6b685abaa31b9434ab16f33a89b6de1eff39

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
4ad43f81ca9395bd698b413537f313d2

SHA1
007fc3691184957527feb056ac3c9c03cf802d02

SHA256
777f7bb9b4f3089af65e98c411dd1b3f6cb2d972a420f16c40633f2af4f51dc7

SHA512
318db8edae174bdb5a107ab897e22e3dc68ab286bb3a5fd588d51b541bcab69c3e374e2e249492cb90ca0d86c20f506f63d758a62f5492f1e0d8433e8fd506cf

Download Submit