6be079842c4d98182f245f4ac6844b620902fd5288d4548e3d17290aaa3fd818

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

393e173077981d7630051ce844119720N.exe
Size

128KB
MD5

393e173077981d7630051ce844119720
SHA1

3f447876c7828db3c77b05d5b032374e9a5a207f
SHA256

6be079842c4d98182f245f4ac6844b620902fd5288d4548e3d17290aaa3fd818
SHA512

b492d6d8cb1be1361506fd1ab89c47cc1cfcdef926c7b49948a22abdb543d40efd2e87ba13626d77058eb17ed9159dd176b1d3a2cbe243ba565d9f48d35d5306
SSDEEP

3072:6e7WpHIyRF9ESWu0SWujKsKRsP9fVL9ilCvLYCCk:RqlIyFESWu0SWu86jYlktz

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4290) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\GrantWatch.tif.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	393e173077981d7630051ce844119720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	393e173077981d7630051ce844119720N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	393e173077981d7630051ce844119720N.exe

C:\Users\Admin\AppData\Local\Temp\393e173077981d7630051ce844119720N.exe
"C:\Users\Admin\AppData\Local\Temp\393e173077981d7630051ce844119720N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
129KB

MD5
34bf6bb5805570501de398d22ff6f2cc

SHA1
d22e7d06e23410919988c8addfee1969beee7442

SHA256
1a76605ba8278dba429d9440b722d4ad8663baa4310b77808dd7788eaf4fb27a

SHA512
ad20cc1f4fc0a816f074345e33f5219abec4ba0098e08f75e6657afca85749edb96cbdac452490beda1946a762cc0fdb09bcb8ac7e1b914781d0930ae49d4c27

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
227KB

MD5
e143979f28a0ffaaaa2913502a6efd29

SHA1
5a63b0a16b22766c89e2f106f6f0a6c91730e0d1

SHA256
59039f7fcdc6df74bfa229a3d1ccc0cbe71f75d830c1ac4074576f9aa230c547

SHA512
d486797b11f46111bfe4ccd84bd2fba878b4bb940276747adbb198531480e0bdd0916adc1d1b1180393c7c457d6f5483bb4bc8234aa7ffa077f29bbacb509a8f

Download Submit