3be0eb1c779ed1a9ef0ceee70837b8e77fa76818afed52ed553f63b280fe98ed

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c75f2dd80233c4cb5dad217fb1fda90N.exe
Size

69KB
MD5

9c75f2dd80233c4cb5dad217fb1fda90
SHA1

88bca64934595d371412eff800ceb15f5a55c99f
SHA256

3be0eb1c779ed1a9ef0ceee70837b8e77fa76818afed52ed553f63b280fe98ed
SHA512

ddde2158d20beeef7feee033f79c216a717082a4d95034957ad19054bf03405ac1e18a40a60947431e481e7951af00a2f3d66c9c90133b3da7995ae11f240282
SSDEEP

768:W7BlpDpARFbhYQkQzaxkd+axkdo176/hvYaJaMGw4PCs2B24PCs2BHE4JAIAepE9:W7ZDpApYbVK4vx4PN54PN4OHepOHeZSV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4351) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClient.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	9c75f2dd80233c4cb5dad217fb1fda90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c75f2dd80233c4cb5dad217fb1fda90N.exe

C:\Users\Admin\AppData\Local\Temp\9c75f2dd80233c4cb5dad217fb1fda90N.exe
"C:\Users\Admin\AppData\Local\Temp\9c75f2dd80233c4cb5dad217fb1fda90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
69KB

MD5
512da9f717fc0f78e14bef3e1d9918f2

SHA1
f54d91960bd93bb48f1367c181121464334f5b65

SHA256
d37f26498f04c437863e430fefde64f1bad46663dc1b0699b427437e0c48e20a

SHA512
0ca09788b8676be1b86fce6c89280559c14134cb2c269e9f91f24c6ea33635f6d6078e016c6d09884949f4043c53a02fbf2abc6fcc42207beac69416ccc6cfba

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
e4bfb84e49e32eeebfedb77131a1b96a

SHA1
99e6e2e812f65d30a4738f90d524bed24e4555d2

SHA256
9fbbc65d2ec6572be41b0aa1c9a44471d749cb1b5c23723c02c60b7bccb0aa25

SHA512
82118e224ad400cb54ad2637e2696e7105c1964df97fd18048c80c5bd2a5e9dc67d1ef40860475d957fc3cc0609d52e667712233ce50410a548c3e4563e0c917

Download Submit