9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
Size

91KB
MD5

57b3827220b46c470082cf9fdbba269e
SHA1

e98104e0551dabb4b6867ea503136d276ffa84aa
SHA256

9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89
SHA512

e35a78bbc4487fa0a2b75ae4cd1e6fa3b1abc613c484c898e0a32bf89745cfd3a2e11fd28e6575b2b921422a5ced97d6a8fa6c4e2acda7463c37d0efeb69b649
SSDEEP

1536:W7ZhA7dABJJZENTBAOvwdaERm3w0AXtXf:6e76BtE2aiUwlXtXf

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4949) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONRES.DLL.tmp	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe

C:\Users\Admin\AppData\Local\Temp\9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe
"C:\Users\Admin\AppData\Local\Temp\9748163358fc3143b83d0941e0bd64e8cc7524b1c880035d4848f935f1ca9c89.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
92KB

MD5
d4822ef09b98d485330c6128edd48a0c

SHA1
b965b603a4fdcf97f5015f703eb99ac72ce7e511

SHA256
c2c4f2eca9de7cd05fa593c2db2cf07a69835a5a276c350d44927cf483bd8b14

SHA512
3872d6b43be40ae699dec14241e363778242ea36f4e198987f657156053c15cab3b315683a02195befa8f9464d0f724ad8e4bd6dfec6725a679c09989e6e7bb5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
190KB

MD5
7e5f59d516eb1e7fddc3b3494140ba48

SHA1
d35d06fe9b0f37630e94d2ed10e5a546518e88a6

SHA256
26ffba2506931f9a844fca180bd19db41bf1201a7e118de3a07378561c0b07a9

SHA512
4f3c53bd1592936bbc27d0795ca37733176683b7c9cbe571ae23649df8f87a1679b9cb5f2a04d71494da79c893889af11f3d43dc85a09f9f673821be1c69d9f5

Download Submit