9267fc0f6621cc7c77d7df0003a1b8f7c8a023f654fe1052d87d06568db75198

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 03:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

68fd616168231fb5d2be288934981860N.exe
Size

36KB
MD5

68fd616168231fb5d2be288934981860
SHA1

e4145d9d3a322e4a1f334a4282b33765ec3f22c3
SHA256

9267fc0f6621cc7c77d7df0003a1b8f7c8a023f654fe1052d87d06568db75198
SHA512

71cdb822f6ff6a01ce3f873eae75495d3acd1b60c6c6cf0c14d3ac8630f64751f5161b343dbc578b9626225ae4229450668f3a8c3b0f88a216306c052fd26b4f
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxje6OMmy6OMmltn:yBs7Br5xjL8AgA71Fbhv/Fzzwz0iQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4646) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ppd.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\misc.exe.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	68fd616168231fb5d2be288934981860N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	68fd616168231fb5d2be288934981860N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68fd616168231fb5d2be288934981860N.exe

C:\Users\Admin\AppData\Local\Temp\68fd616168231fb5d2be288934981860N.exe
"C:\Users\Admin\AppData\Local\Temp\68fd616168231fb5d2be288934981860N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
36KB

MD5
2c3e3229b22cb5fc871248a91ebe0d8c

SHA1
8c8e4f2c3a1d1803b8e54df7f953d26c3fd3c248

SHA256
a4686061bdcfc55594a1fd0c7be249873e8d71b7766374f8d8833bb7f4870223

SHA512
68dce0584dff27eed34503270f722e72eb3970d1ce0510af9692941dd21f47ccfdedf84a5bae3862114f8cf38e6e3095dddb398dd92d556ef9ad23b12168985f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
96f7a0e99de3116ca2ee1b63b3bcf64a

SHA1
aab8c4987dfb14a7563eed006f01bc9810164667

SHA256
146a3577c704b38c3f53e1587633267775281f9d8ba586fc132c564de101bbcd

SHA512
1a1e19f1ce4d190d6a846a13c85710e8c5123fd9aedc75520f465b5969a1d543ab16c8e5b1879b80376e09c09cd383b06d08ef54c95fc116533a277bb22f4125

Download Submit
memory/1692-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1692-862-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download