1768d7052001d46cc9d36a048fd606511bae61bf5cc534faaea71864310e35d6

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ce69d63e3b23da1eed057fd75e91f0N.exe
Size

52KB
MD5

93ce69d63e3b23da1eed057fd75e91f0
SHA1

beead8f10a2f3104ed9cdbd2e188c4ed1df5634e
SHA256

1768d7052001d46cc9d36a048fd606511bae61bf5cc534faaea71864310e35d6
SHA512

6d3c6ae1fe4f44c63c14a72878806f30869be28fa993ddc46fa98dd2bcef9fb4f6828b6810f460b8ae01384d32644e7b45a64aa3aa2f876448f59ac1438b00db
SSDEEP

768:W7BlphA7pARFbhM0KW2s9B4b09Xgd7jylZqzps:W7ZhA7pApMaxB4b0CYV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4383) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\MeasureBlock.dot.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	93ce69d63e3b23da1eed057fd75e91f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93ce69d63e3b23da1eed057fd75e91f0N.exe

C:\Users\Admin\AppData\Local\Temp\93ce69d63e3b23da1eed057fd75e91f0N.exe
"C:\Users\Admin\AppData\Local\Temp\93ce69d63e3b23da1eed057fd75e91f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
52KB

MD5
761bdd9afc4d025c8596de0065a4fa37

SHA1
c1472c46608d209089ff72f804b56d994db30d01

SHA256
c36477c01f02e8df909dcc84aecf040ee6d2584ad8250e59cf79b2cd03472695

SHA512
e5671b1eeed1ab06cb2c39d734f6d2bd5aa923a88cf4dfba52b2f5a85fa3729da988ae21b7091bdc16818cf4d98b7b3b27cf67fa1b99bb4f075f384fb0180f77

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
151KB

MD5
9613940a82ab80e605d6d5f06ca253a7

SHA1
a876d1dd745af4d9814554b7985b9615ff7feff6

SHA256
0211ccc4e1bc90de1c6efe1eff5927ffbf5e83b718f5b4f55dcb90df18238929

SHA512
9360de7a52b23f02202600bacdca667b24f26195acb5216789a493d80a44c46d23e6a7d1910b2b5ee427ae82f6da8c8cb6eef299e61e49d421dd31254bc26f2c

Download Submit