1ca874f0f1b6a451777e342b1376e64d84e2a6f794ce6a7401f05b52db57c067

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1908e6a381f4cb24aead7ab8f76567e0N.exe
Size

35KB
MD5

1908e6a381f4cb24aead7ab8f76567e0
SHA1

0e0f2399cb56797c04ec5fe281c6d605b7883a64
SHA256

1ca874f0f1b6a451777e342b1376e64d84e2a6f794ce6a7401f05b52db57c067
SHA512

1ba3cb4664ddb6bf72404838a1d67349a51c93bc06f22de890208eb449e7af163da117d7d6694e494a8773c84b6ea53670d146cfc4e5ac54c490cb661ed99d96
SSDEEP

384:GBt7Br5xjLfAgA71FbhvtPci1lnYOzlnYO5+vu+vn:W7BlpDpARFbhzbYONYOktP

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4640) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1908e6a381f4cb24aead7ab8f76567e0N.exe

C:\Users\Admin\AppData\Local\Temp\1908e6a381f4cb24aead7ab8f76567e0N.exe
"C:\Users\Admin\AppData\Local\Temp\1908e6a381f4cb24aead7ab8f76567e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
35KB

MD5
d34570116e2a504d6ebe18de7dbd7a6f

SHA1
d2f840489c5253a437e85ce192d8595eb3224849

SHA256
e5218471a79f60b93fc3467d1dad3c25f27b69fcfcfcbce7581e0f55f62a772b

SHA512
e39fd01f1291406417316cf3181f3f5e82aeab2b8f521555da23298acc47cb600aaa3af7c0f37e5632d6dddc5af5053eeb9a6b5309a4cf9c070291daf8679221

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
134KB

MD5
c3b9ea6c99b8a0971e4bc0d73fef2949

SHA1
0cf3b13984e57c50f8312071f079531cc5cfc321

SHA256
5972d344e65de0e9fc5b28c8e388f85e89c2e6ebcac5cb8408ff563f2b7fcb03

SHA512
ad67db1ed916bf62259cccc72df459e2e488ad0cdf782d67a7abd8a42b5a9b7c727967584b945b974b91dff41eefcefb7bcbb02c8bee48db1f0cf05115cd990b

Download Submit