1a47b1adc04ddbb9e5e2104298b8337b69d0f9ca15cf19de86899659076c416b

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f94740dd5b82c2b85cf5bb36609c2e90N.exe
Size

85KB
MD5

f94740dd5b82c2b85cf5bb36609c2e90
SHA1

b7a9e2aa791027a1b6d93b46307062dd7a67a46f
SHA256

1a47b1adc04ddbb9e5e2104298b8337b69d0f9ca15cf19de86899659076c416b
SHA512

a8c2c5fbd525d33451c69049582d2a1dad8b76226858a4bcf4ca6d3cef809c326349f5fb17f63385a8bbd15c13e873b12796d79cfd22e5558da18fd55b491a9a
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEh7:6pWpUFpEhLfyBtPf50FWkFpPDze/qFs+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4626) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\csi.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\AddTest.mpv2.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\GroupSuspend.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ru.pak.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	f94740dd5b82c2b85cf5bb36609c2e90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f94740dd5b82c2b85cf5bb36609c2e90N.exe

C:\Users\Admin\AppData\Local\Temp\f94740dd5b82c2b85cf5bb36609c2e90N.exe
"C:\Users\Admin\AppData\Local\Temp\f94740dd5b82c2b85cf5bb36609c2e90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
85KB

MD5
3ff2ab3956295b5b6245222050ba1620

SHA1
9cbbd2dbde64df2dbd433a6c2406f803ce48c4a1

SHA256
d79bcc6afb013b480a55fc366eacc46862f4cfade4b07bbc3e3c56763497db47

SHA512
90765bc6e70e9822c38bf9eab8f5d22ac999a569946c34062972e9c3483e861ae7cb82ed7c9767578b56dea838f7c503aeb857b9702a511785de9c9d2e2e72d0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
184KB

MD5
acc0ac1f3cc8500568e8c4a730a33b4b

SHA1
706cf3564b613d642817486128c05a402b6e3bba

SHA256
0977ddef033866cb33f775c680ad0655697f7508b9084dd0969edd976aef3adf

SHA512
8ba62fb4ceca6c429c50549f7ae9fcb47ca25f2049d46ca66effdc0b951f9e1fde7a49f247688c95db3f753f5297a58f59a03224baad8148570d67c593c5ef0e

Download Submit