6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
Size

42KB
MD5

8e045a42e0d0b1b3df4739095df1ea52
SHA1

5900c92d6999fba6b58671a35ccfdc7f8e4c31c7
SHA256

6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f
SHA512

2bfc40324113bb135ade9161f5fb7c00eb8063294ce8d4c412bd8cc9f88297064efe5bf8303eb317965615cc890510682741fb08f666d814ff3c6078d1cc6cd6
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3e4S04SdHaQx+QxD/LuV2LuVa:W7Blp9pARFbhs101MQIQYLa

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5217) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ITCKRIST.TTF.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\FindApprove.search-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe

C:\Users\Admin\AppData\Local\Temp\6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe
"C:\Users\Admin\AppData\Local\Temp\6e917518ef9f6438d82408ec71331623e8f6fda16688ad2812d782b009a0ee4f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
42KB

MD5
e99a5970543485daa95b32bda185b58f

SHA1
60a6e04dc450efe9681c57b816c9390aab170c8d

SHA256
172fed043779d4bde8da023747922ae71f10b51377d6faac46136de46a2f1989

SHA512
067c83ff8004180fcf2b0b50057bd256e9610925d2073c4086d05d34c0d3f5a8348fcdf55f0fa83adf747c0c2c60863fdc99ac17b81673b0401b1cd3957e05ac

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
f6e2d499701a75a803c713ebd8906903

SHA1
0c6c5ad61e828d81e46eea95cf56b19e6b344d3e

SHA256
a3575cecafaf23e6629ea9d1d4fe4c5416f982ea9a23952a7086c6fd8ff12e46

SHA512
5f8d6cfeb602f25471f7c1d9493d56d20815b1df4ddb46c62f5e45fff16d94a7bf06c05d2e5aba9fdcaf4208ad794b9b6ac8dfc6a08f782ee90eea97c77a420c

Download Submit