9513be314bb3d7cec19a460b8b551d00b1ae7030706cf66462d8527c8ed91181

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61ec757278070446c10acd56270cfd70N.exe
Size

48KB
MD5

61ec757278070446c10acd56270cfd70
SHA1

7c28739316ac93c172d03665ea77e43a747e7c69
SHA256

9513be314bb3d7cec19a460b8b551d00b1ae7030706cf66462d8527c8ed91181
SHA512

2e81fa859c763405420a649a886da0e946a1df989683e6714fdf29f9972b4694a8c6ae1c4dca8681ae4371b873033e7ecfcab593a5d56be14444c46c1d51ce1c
SSDEEP

384:GBt7Br5xjL9A7AgA71FbhvnIH2YsTKnKqtaW3W4:W7BlphA7pARFbhvOsTKnKqtJ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4368) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	61ec757278070446c10acd56270cfd70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	61ec757278070446c10acd56270cfd70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61ec757278070446c10acd56270cfd70N.exe

C:\Users\Admin\AppData\Local\Temp\61ec757278070446c10acd56270cfd70N.exe
"C:\Users\Admin\AppData\Local\Temp\61ec757278070446c10acd56270cfd70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
49KB

MD5
0f43b13b246e93ff26af231275362ec3

SHA1
6dcd37d77b0a32e14b1a63b52a54c502f72df5e2

SHA256
05fc909e5ca691c4cf174d54286fd76b11772ca4103f3e0a9a78fe8da86b85ad

SHA512
6752d172bc6e3e8aba34ae97dae641130da635eea5256fa0f525778c340c5de19f4f789283fdefd8b87bd9b3b2ba4e9b8dc5dceca8d282af1ca2e27f80075e33

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
161KB

MD5
c6d9f690f6a44851d4ecf82ccef1ddc1

SHA1
9d585910798fa9b8174011acd48caf1730887cf1

SHA256
f3ff0ceabf4ad915545a3fd4b8b1750ba383dfc65333222e4ef1233893e655e3

SHA512
03cd9ffe1b15fa34eb46052e03b30d7e743f167f0de4f005fc122305fa41b821652c80d0ba0909713a0d247ba67c462d854ae22c252df6dc50ada49c4b28940b

Download Submit