ec7da469d374cc7fdcf80d0114994e581b12ff011c1b33bceb9228cd09d6d566

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
Size

47KB
MD5

86c6646d2f23b56cbb8bb7f8f6d9f050
SHA1

ce5aded5d768674922ad9835fb22034643c2fa65
SHA256

ec7da469d374cc7fdcf80d0114994e581b12ff011c1b33bceb9228cd09d6d566
SHA512

e490ad40cbec0e7f9d9af05ab6bcea1480500c4a4f2deab4a952a194c7890de95d42a21fbf9ccf4c1c224a0982902bc78abb470ea30471d166fc18f4d69aeb29
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLNdyGdy/a2al6A2k8g:W7ZppApBULcfpHLcfpyDUdyGdyA2q

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4685) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86c6646d2f23b56cbb8bb7f8f6d9f050N.exe

C:\Users\Admin\AppData\Local\Temp\86c6646d2f23b56cbb8bb7f8f6d9f050N.exe
"C:\Users\Admin\AppData\Local\Temp\86c6646d2f23b56cbb8bb7f8f6d9f050N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
48KB

MD5
6208f21acb8d20ff43867250ebf19d45

SHA1
7145990a57f8a35b0a27ee91157a069e07658d12

SHA256
4a2423ba1256e906520800010cf3db7a425a80cc3796ef1332f9e114a1821c9e

SHA512
9fcac018ba223901bff769cb120a0d6250344fc2eb159b7a426b35701e69f248fcf90302a3cfaca0d10391c7cfd7f78442312328fd062e6ff763a5735fc742d3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
7819be9c38fc4302e6e8e39d09fa5b2b

SHA1
79b56ba2b6a292212ba2c5cef77b04ec965c6a00

SHA256
2aead189fe1a3926b444035b942223db28607408a1acdb4a1faa38af763b0839

SHA512
82af7fd8b3dd331de279108862151c5a2404207af7419056cd8e4708b892db499e91397c685786cb2d23fa7b3fbd89c53b89514d2013c3edc360cb3d6f16faff

Download Submit