e3b0e599efcc9fae651cc7094fd5e4277eed1fb802dfa2c9a3140ad4a853e1e9

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d900b2cfc3a08942edc562e0b79a0c0N.exe
Size

42KB
MD5

9d900b2cfc3a08942edc562e0b79a0c0
SHA1

fc55f39a1e5b36c8de26fe3162fd8fdc5daf38de
SHA256

e3b0e599efcc9fae651cc7094fd5e4277eed1fb802dfa2c9a3140ad4a853e1e9
SHA512

70a156d830b3b5f52505a3ebdfad331860d651be1ad7ca4c3468f7753319e35f65979c6e22e78927106f9698bfff491592d9cb503a29088806768430dbac89d3
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzfgQemyq8gCgQemyq8gF:/7BlpQpARFbhNIRyny8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	9d900b2cfc3a08942edc562e0b79a0c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d900b2cfc3a08942edc562e0b79a0c0N.exe

C:\Users\Admin\AppData\Local\Temp\9d900b2cfc3a08942edc562e0b79a0c0N.exe
"C:\Users\Admin\AppData\Local\Temp\9d900b2cfc3a08942edc562e0b79a0c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
42KB

MD5
aed21339475df9866133db4b0299e732

SHA1
7ba5b5ae3344cab2df3fda1b2fc0e6792693a644

SHA256
4fdc109f473eae370a652002795da126b7151431bf7c044f5fe37495e0653afd

SHA512
7bcc26db7810dd97b27ba4cf772167500ef3f2156a9fe6c88e16927a7562d364f5f4ccbc52ca12ee3725ac731ef0ef7d969acf7ae3bd87dd8120eb0b9dad6b50

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
0d71fbae53b87c36867cd4fc5b670af1

SHA1
538aff1f00605b927ce71351e6653e8d04fb84aa

SHA256
e04045cbd8a5acc5394875e200ac7892684bd140932e5f59091226d429b14428

SHA512
d6e95319f0557c453813b4eecda054571a43749ec02258a01f7292ad63dc73268a6f9d7c85c564b644d5c22ae21e9b13045c87a7c895eadbfaaad718b0a6f726

Download Submit
memory/404-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/404-940-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download