8d478a9a325d2a620e621e2aa1fcb981b7ee923a8aaa1e86f84335e22d75d3e4

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9ed950631e9480e488459b2f5a515e0N.exe
Size

46KB
MD5

f9ed950631e9480e488459b2f5a515e0
SHA1

3925fb3a2bb4211b32d04ff9432911c898356980
SHA256

8d478a9a325d2a620e621e2aa1fcb981b7ee923a8aaa1e86f84335e22d75d3e4
SHA512

de03980a5eb06038115347ed5fa827384fad8f0aba3398662bd84a6caf9e8769335b118a1240a2b895dda3b159f17634c28633987e12e1d24e2a69fef88cc2a7
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJwNqikTqikkvPVvP6:W7ZppApyqikTqikn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4659) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Input.Manipulations.resources.dll.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	f9ed950631e9480e488459b2f5a515e0N.exe
File created	C:\Program Files\GrantBlock.wma.tmp	f9ed950631e9480e488459b2f5a515e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9ed950631e9480e488459b2f5a515e0N.exe

C:\Users\Admin\AppData\Local\Temp\f9ed950631e9480e488459b2f5a515e0N.exe
"C:\Users\Admin\AppData\Local\Temp\f9ed950631e9480e488459b2f5a515e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
46KB

MD5
e6c8e3efb32f9397feeafcf89b362db3

SHA1
e4753589aab27510a229ee2da474b61566be38ce

SHA256
3f1a063507f3b4675022dc543d22cea6b60a8cddf4ab06299d64fbb8956c0563

SHA512
f1fc69ba57595466515c8b23f30923e75de3d1277e2c719a86c88467712434ce4ae0746d99e8d02264e1fd1bbba8f73cc298a4aae82a36a84e57803cf4b6fed9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
98fa8deb16733695cea17c532892d790

SHA1
b01278d11206b935ccfbbaa0e465a685542dc1f3

SHA256
46695eb1b0a1c88b5e37f30ef96997edee61d105f603a5a4626bb5bfa7b019f3

SHA512
72b4bb0c611bf80bff240a380aa80e8c80f0879b2d7a7ee87cd38f3c8b013b5f073febfd80288158603d356b93f775a103b9b4191ec5665f2743011881945395

Download Submit