9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
Size

49KB
MD5

d4b688ad1dc3e63223e9982beea304af
SHA1

9cdb0f7ad71f027418503b3f25fb70c6dbe9020b
SHA256

9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407
SHA512

34f130b3ebf72308812a296fdcfe548bd3d78b17777bab903b615e9179d230b5af2331dbdd74331458ee63a96dcc30d11a0319cdf5506b8166a4772607ec1783
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhvo42L5FgAytBVRz:W7BlpppARFbhjbhg42LcfT

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5026) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SignalRClient.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-BR.pak.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoCanary.png.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationProvider.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Primitives.resources.dll.tmp	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe

C:\Users\Admin\AppData\Local\Temp\9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe
"C:\Users\Admin\AppData\Local\Temp\9a49a9b0e634031dde83e3a0ce184ef86e4aa6c5017d21aa16d36b59430b3407.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
49KB

MD5
698ea1b1df4e109b70a78dfdfaf8db2e

SHA1
d8f7b0790f7f81ebcf5ddf17de9748edd575fdad

SHA256
c74506800747236604353e49f10df06d743bf42b8bbbc9a8db1947bf0a3023eb

SHA512
9e73cce36de1a77bc0c67ab4a2f150b2cb6c933787adb6d7e089e8e0684e1b7aa19f7f4b42ef247e3cd143ef2ebd32efb5b9dadc4d7031c9a8fed48cbb600d26

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
161KB

MD5
a633281ec9dc57124254e3abddd56e1e

SHA1
eef7ce8a374853a47b374ac41c615994942508c3

SHA256
a01d56978cb4d12e0a717d822dc638150983605f1385d68ea82d88a17369409c

SHA512
4319a5038de85c4e108930b83061657b4686f4e048c57f0bd4cec3067fbb0b5a44d556419776fa563ec7dcc545434df199a1e2b96f2b658d2c4638b015e77038

Download Submit