8c4f18e685e6d4d3f4b6882478e2eaf31857b5b162f735926ab1017d8cf36c36

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 10:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6d3b21db4f2f95373aefb4f1ff2763e0N.exe
Size

51KB
MD5

6d3b21db4f2f95373aefb4f1ff2763e0
SHA1

a75aa70e5f45258ec992c736987f489bc5c6fb50
SHA256

8c4f18e685e6d4d3f4b6882478e2eaf31857b5b162f735926ab1017d8cf36c36
SHA512

c76f5f22df703f47a5d29fd14a806da77e882376d916ae3682d2f4cf4d4ca6db08b446997efc90fbafbc1f76cc1509e53a06c0163f981e61efb14a89008b7d4f
SSDEEP

768:W7Blp2sspARFbhVgNNHpQRNHpQR1TQbzjrY/+TQbzjrY/J:W7Z2sspApctpQRtpQRO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4628) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\ConvertToRevoke.7z.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	6d3b21db4f2f95373aefb4f1ff2763e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d3b21db4f2f95373aefb4f1ff2763e0N.exe

C:\Users\Admin\AppData\Local\Temp\6d3b21db4f2f95373aefb4f1ff2763e0N.exe
"C:\Users\Admin\AppData\Local\Temp\6d3b21db4f2f95373aefb4f1ff2763e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
51KB

MD5
39e95c69d6bb455579c5cc54603ab606

SHA1
596e7b3138726aa0136862f7140b8ff630f30312

SHA256
ff1924e0c2f37fef0ab20f14935c7438af06ab9c787c55e1331f208aad845ec1

SHA512
96d15bfa679adc5f4386d78aba969491409a480b0f136e79c192e70bc3ae8124591f300317c898c69b83fd4cf55115b32e1062b3b75619b2ce6762b86c170bca

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
88a4f933e90b699f6fb8636d5058dbb8

SHA1
e7185a94091d67c63e6bf98b94f2541e60a5fd39

SHA256
f5c25c74b90686e5459106f37cb8494fcd057168eddc7dd7d0413da1e707d8be

SHA512
c01d73b28acecceac6394846e808cf9c0af46e5120d3ad5747f9a2f9f1df9e0f816ce3a96f4376c221535ae6d094b0e7b135f1eea7b74510e5d1bb3571fc4d0d

Download Submit