94cb4ecfbac97d6650b3550e3500548bfe9c16b6639bb87a05f729db41db7502

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0d709b713d4d430610187c72c950a0N.exe
Size

44KB
MD5

4c0d709b713d4d430610187c72c950a0
SHA1

7c6f8ed93de08781d0483432125108397426ae5f
SHA256

94cb4ecfbac97d6650b3550e3500548bfe9c16b6639bb87a05f729db41db7502
SHA512

fbe81715e764fc3f409829e3fbba2d5cf13569505e7559018e91b13d42214f3b757080ebc56ac430c8f623de992e93d49dd51aa24c41ee0d701b23c2a4edf5f4
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1ngig/:W7ZppApBULcfpHLcfpSo3f2x/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4687) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicudt53_64.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsFormsIntegration.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxcompiler.dll.tmp	4c0d709b713d4d430610187c72c950a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c0d709b713d4d430610187c72c950a0N.exe

C:\Users\Admin\AppData\Local\Temp\4c0d709b713d4d430610187c72c950a0N.exe
"C:\Users\Admin\AppData\Local\Temp\4c0d709b713d4d430610187c72c950a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
44KB

MD5
02213a3e3c54f333bd35ab2ed36d369f

SHA1
7d89e48afbde477441fc0f492bd6fd989dc0987d

SHA256
17aaa72a34d808828ade4b7a42d978d46d6ec3b466d719d710d68927a14c10ab

SHA512
6373c556061433a105221d31703a3e529443d8e39512dfeaabedcac3dc180e199ef3677bceb015304138d5382aceae7de45efc0fe0ba8bb5c9d6f91bb51192ae

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
da3520368149d428515adb604c8b7f31

SHA1
b33422ca8bcfb49e2b085dcb2bd7fd3b30db4f65

SHA256
ea206fcc5f5e33bd9341c562bb33c227f3a96f5fce6042fa3b466d3e72bf4871

SHA512
b2781c9f92c29ada911fedacd215dccbd19341b5abf1e76612e1394b39333ca8dfc100690bbcb30c1bca8301e3501aecc546f6b11c01ebd4f21145e5dd2564f0

Download Submit