708c73c89c2335a8e4986b78ffd67ba787b991b009f24e131b4f6c7ff39b72ff

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97c1af83f2df07c7c44924ff143926d0N.exe
Size

35KB
MD5

97c1af83f2df07c7c44924ff143926d0
SHA1

e2ef8dda62e2b374466d8d0c092c1b3b5014640a
SHA256

708c73c89c2335a8e4986b78ffd67ba787b991b009f24e131b4f6c7ff39b72ff
SHA512

67a60c8680beb33a419b4746f3fa5cc2401d9f254f824a443c456aa506050c62a9c9ed695017ee4666abd560cb318b604c030f2399b4da5392f50b9cb702285f
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lNra:W7ZhA7pApM21LOA1LOl6ira

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Timer.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Metadata.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Crashpad\metadata.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\sRGB.pf.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	97c1af83f2df07c7c44924ff143926d0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	97c1af83f2df07c7c44924ff143926d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97c1af83f2df07c7c44924ff143926d0N.exe

C:\Users\Admin\AppData\Local\Temp\97c1af83f2df07c7c44924ff143926d0N.exe
"C:\Users\Admin\AppData\Local\Temp\97c1af83f2df07c7c44924ff143926d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
35KB

MD5
9a6d5b894a4671483bde7acb38febe6a

SHA1
d07a5c43f6044d224ab50f1be0055cfdc615d19f

SHA256
a014e0137b79bfd00634b4fc51c1df0f1c2314645ce5265e6779c399c90d04dd

SHA512
1078d9c882d9e8a7838a94014f2c65c751a247b2d339136ec9ce88860b00e45269627911228724929072f138288da8632eb2f34a60f19a7abcaf39ecbf45f26b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
134KB

MD5
4b278996e329484f7e94514c78e141c6

SHA1
8dcd97698fa49b3c04c051387549724ca8618e63

SHA256
f2d72224ba7ef65a4c20493fba80d917388a1e6523727e3b66883025c792037b

SHA512
6fbdb9e720d80dba88fab4a59dfe7bc1ef22d25088f20f58f9a87bc9f9ab9812e4086849b9d611c11c7e1187dcc303812e35cbcdd9bfc98774f193ef22a7814b

Download Submit