d9b40250326c8e4c7a1e09ee1e1bdc92c6b46af9cc7b4a4b61082797b121014f

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

913fbd82521cb795034fdc3f1fcfb3b0N.exe
Size

82KB
MD5

913fbd82521cb795034fdc3f1fcfb3b0
SHA1

9e28d0f63318e4efb11bc17e66c5a360bcde06a9
SHA256

d9b40250326c8e4c7a1e09ee1e1bdc92c6b46af9cc7b4a4b61082797b121014f
SHA512

35b3665b5111d5fb29e8b60f86deaebb7ea434d8fd96cd5130c1d04658d047cb393245dc2e9a8e93c460531768c1643d5ff93185197ae22961a84049a04087e0
SSDEEP

768:W7BlphA7pARFbhXJOYLCqh86ICqh86++c+HmSu:W7ZhA7pApXTdsdYSu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4322) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\sRGB.pf.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ppd.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	913fbd82521cb795034fdc3f1fcfb3b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	913fbd82521cb795034fdc3f1fcfb3b0N.exe

C:\Users\Admin\AppData\Local\Temp\913fbd82521cb795034fdc3f1fcfb3b0N.exe
"C:\Users\Admin\AppData\Local\Temp\913fbd82521cb795034fdc3f1fcfb3b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
83KB

MD5
fa4faa9167d4c56c9e810e6d14970615

SHA1
e0297521f4a6c74b62c75f2c5ad80a49ae4e02f9

SHA256
d7b44ed3cbe682dc5853aaaf80a7fa8de5136ff5b132148490e408a291395ef2

SHA512
2e53e9674fd95b000aa07dc62165e634ca337b8e00e83b567dbe11f9626500802a20661888dc3a15aaf9d6cd9195860e5bb9616c82b71ae09eb5c35d198df36c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
181KB

MD5
b30c375e4df74e5db01a9f8d9d427ec6

SHA1
b1bb8eda8b715d026cbd713bba97e173a76f2178

SHA256
54cb7e4ab676f1e6bb14e57e706d6721d84f4a4bff8457c74bd478e009eccdcd

SHA512
b9ebe2297e2fa032c16e0e0a8f6f5e6c3d8dc3eeee76ab1f28b44d854edda9a2ab2e5c8b3dc313c1ea31354e817386fd2676976dd08518a12e3b60443a3f8346

Download Submit