b23d273e12471c90bbef4157bebcc98f8eb72129a50674a66fbc5279ce6b1c6d

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66b99e857a0203c1466bc2d5c23058c0N.exe
Size

55KB
MD5

66b99e857a0203c1466bc2d5c23058c0
SHA1

e4ba3e9b2a038850a5fe59c1af3ba31caca780c8
SHA256

b23d273e12471c90bbef4157bebcc98f8eb72129a50674a66fbc5279ce6b1c6d
SHA512

fb1f98daff3f4462d39003897aba3e92f7076ed972ff24c7fcaaaf0548ca988c0d10062b8c949cd60c85d9704b11f735b2e322f81d88d059d23c961a63db89d1
SSDEEP

384:yBs7Br5xjL8AgA71FbhvBfepj3cfepj3KtLJr4S04SCzwzRxFcxFhtiO:/7BlpQpARFbhq1KX101GI7FEFhtiO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ja.pak.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	66b99e857a0203c1466bc2d5c23058c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66b99e857a0203c1466bc2d5c23058c0N.exe

C:\Users\Admin\AppData\Local\Temp\66b99e857a0203c1466bc2d5c23058c0N.exe
"C:\Users\Admin\AppData\Local\Temp\66b99e857a0203c1466bc2d5c23058c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
56KB

MD5
f1960cefa9c1c1898d9de3f5f3582a44

SHA1
dab4ef5a8a996d1130560e42d40e211bcdfd349c

SHA256
898bcbaccd5066a5f7237ec82e5a985051dbc81fe279fcde9d8c34c755fa7344

SHA512
6bcc89688103dcda5c646edc0087c1aed72c585928720916c4db477742db2b1c014d390956f370bd84290389bad164212830d9fd6e2508dc5b02a58394dea759

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
154KB

MD5
645d02bdd1f73d650e07155ae62bea58

SHA1
6b49e4a70ca75c73078f87bcc38939ddd4d3f550

SHA256
7d2d5c7c2270c98bdea55069e623e834dec193555809ccc5321020fc201ca22e

SHA512
a0b91f1466d82730068009534f34659a4948ad2a8ecb53e5292bd979835333a100eef40510443798771ac08a54cb79545c7cf5fa97644e624a82634d30b928f0

Download Submit
memory/2284-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2284-786-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download