9febd5dbe23fb899af9e19a757af43906ec7f1564da8c407746e18132e1ad641

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84145954697a6dc2f5d20490374cb220N.exe
Size

62KB
MD5

84145954697a6dc2f5d20490374cb220
SHA1

f067aecf27b8dd9ad62c643b325de5cc0ca585f2
SHA256

9febd5dbe23fb899af9e19a757af43906ec7f1564da8c407746e18132e1ad641
SHA512

29580b3e3db2125274162076ff416a0a4950ad20ab1975a58a83abb89ffcda139529630e1b52798c5dd223697a3b127377865687eb60fd6d5ab3a6406538afa1
SSDEEP

768:W7BlpNLpARFbhblkYlkuvIYFdqRHR0UkU1o5fOiJu6OiJfo5fOiJu6OiJiPjBvXC:W7ZNLpApCZuvIYXqRHRiePertvXtv4

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationTypes.resources.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	84145954697a6dc2f5d20490374cb220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp	84145954697a6dc2f5d20490374cb220N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84145954697a6dc2f5d20490374cb220N.exe

C:\Users\Admin\AppData\Local\Temp\84145954697a6dc2f5d20490374cb220N.exe
"C:\Users\Admin\AppData\Local\Temp\84145954697a6dc2f5d20490374cb220N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
62KB

MD5
097fc6eda7aa0a8bc1c77e159af9505a

SHA1
b79972e311d3f0741647ad1f3acc3b13f410463a

SHA256
e8a31a3ed1d95a601ada212e1791fc30f23a5ae402179ff8e1bd009ad0631545

SHA512
f4142ce6d7d2d063ef0da1ae6aef3cb80aaa09d514b3f7362ff3b2d0e72147939d5234459302a5826ceee1a75a74944fadb767943c68b043d361c77f41fe9019

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
161KB

MD5
6a0534c636f20ea87f42064aba9bfa4f

SHA1
365e16c717b1531873aff5df6c94fe3879e17d79

SHA256
ae625e302dc852ca8bf96a69bf649ae9b6b268c86b7ad0e9ea06660f6a709726

SHA512
6cb832b1b9f5cb1d6598aa1b9281a7aaf9d9f57b8f328b28cd18181fb7f5020f09b1ffb95a3c05eaea7234c10a313fbb6a8c7dba6432f677f3e506e0b982136b

Download Submit