78a2dbd752f0632e4f036e8d42b907b5738c561f602428b1eebea2813a48809e

Analysis

max time kernel
120s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59f9b9423fde2e4d0562aadee4f8b9d0N.exe
Size

55KB
MD5

59f9b9423fde2e4d0562aadee4f8b9d0
SHA1

2398aac23cace50963702e5ec83f0dfac4902e4f
SHA256

78a2dbd752f0632e4f036e8d42b907b5738c561f602428b1eebea2813a48809e
SHA512

cba0ca833b404d828b033eddc6e3fd9a5f11f1a75b5721de285f0e6bb4e776804c44cda95f144e593ee2d2fd967b351996881435098d40aad33515fb35e80e31
SSDEEP

768:/7BlpQpARFbh1WK9WKsE2BdMLBdMWN1J3DCl4N1J3DClF:/7ZQpApQKIKsEDkr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\vi.pak.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\MergeSwitch.dib.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	59f9b9423fde2e4d0562aadee4f8b9d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59f9b9423fde2e4d0562aadee4f8b9d0N.exe

C:\Users\Admin\AppData\Local\Temp\59f9b9423fde2e4d0562aadee4f8b9d0N.exe
"C:\Users\Admin\AppData\Local\Temp\59f9b9423fde2e4d0562aadee4f8b9d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
56KB

MD5
f64087d335653727f19127e032461d2f

SHA1
7ba842f3f60a82afb4b9b03f1782b233d457e35e

SHA256
9f7f159ba9de0f2dc02e49819d81d29f168ae44813de484cc09eead02fd61b18

SHA512
143a7093db8c357c96c472bfade1913fb86c2a4cd61eb3f87050153bf624b515c2461da8131547699a7c735c84e77cffe98a21693e145f6677222de18cf26156

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
154KB

MD5
d43e63d2d88e8e05d1405cfce704542e

SHA1
477577be325f075e8ce859bd59bc7f1007de44dc

SHA256
c11c46f4f997ef7f6b217fd88123d512cc6cb815ebb8ac48db65d274ff15e34b

SHA512
ebaea191d989d4c655514a6579d1498741107d083a17dc565b606f78338007030a78159862789cea992a0ccb92ff430aaba3c172b6580b6115a1f85a4701fe02

Download Submit
memory/4560-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4560-928-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download