f1a6f093b57b6e96d5ff815980b26b57498143f72e761a3c324afad9d012d5d0

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

962326e9cf6a407fc616275e56657060N.exe
Size

47KB
MD5

962326e9cf6a407fc616275e56657060
SHA1

ae16c487940c810b08aed1fba0f9c038af0de952
SHA256

f1a6f093b57b6e96d5ff815980b26b57498143f72e761a3c324afad9d012d5d0
SHA512

0633a2e6b61fff4a9eda958c5a704f7b449525fb023420abb0381bca83435af7ca44bdbd7ae8a4ed7be5a6a9256cd68d6fbfed92b9511b17f44572d5145d3473
SSDEEP

768:/7BlpQpARFbhNIiJwsJwwnZEQoVeDQoVex:/7ZQpAplJwsJwwnlYl

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLPROXY.DLL.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.resources.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nl.pak.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	962326e9cf6a407fc616275e56657060N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp	962326e9cf6a407fc616275e56657060N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	962326e9cf6a407fc616275e56657060N.exe

C:\Users\Admin\AppData\Local\Temp\962326e9cf6a407fc616275e56657060N.exe
"C:\Users\Admin\AppData\Local\Temp\962326e9cf6a407fc616275e56657060N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
48KB

MD5
e05fbfaaa5375b78d1e740fbbf4b0048

SHA1
31497781ad0167d7a800f1a615dd25ec27ac7ea7

SHA256
24394c6790a6c1e4895819d25d6383f69f2a3cdcd009c86dafdbbd7831dc4b09

SHA512
69fc6672193d7971017c435c35be609ef621ac066b1ea7923cd02dd862e791b3db6362ba3d34ecb5fcb37dff4626d1e833ec77b3209a45ac7f82ac7623353324

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
ff24e69f88cec60a62ad5f9475b43d21

SHA1
511af2d022a2bc64d173828082a2cf203503aa03

SHA256
c608ed0bdef72f8737680a9a6b09b83258439f2460582b98bcddbb65c62097eb

SHA512
91771695e39fef7ad4debc88aac71d835c6a39df9b8a0c701a420b66bcc7789129cbc9b231ad2dd479112e102986771b9fce4c5571eb9113f73acb72be9e3bac

Download Submit
memory/3064-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-860-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download